Variables for configuring secure proxy administrative agents using the zpmt command

The zpmt command uses the values that you specify for the variables defined in a response file to create customization data and instructions for configuring a secure proxy administrative agent

Tip: See the sample response file in the app_server_root/zOS-config/zpmt/samples directory.

Server type

Server type (serverType)
Type of server to be created within this management profile

Profile information

Profile name (profileName)
The profile name is default.
Profile path (profilePath)
Profile path
Template path (templatePath)
Template path

Target dataset information

Target operating system (targetOS)
Target operating system
High-level qualifier (zTargetHLQ)
High-level qualifier for the target z/OS datasets that will contain the generated jobs and instructions
When a customization definition is uploaded to the target z/OS system, the customization jobs and files are written to a pair of partitioned datasets. While is it possible to reuse these datasets, it is safest to create separate datasets for each WebSphere Application Server for z/OS configuration. The best practice is to use the customization dataset name prefix (sometimes referred to as "config_hlq") to indicate the version and release of WebSphere Application Server for z/OS, the task that you are performing, and the cell (as well as the node name in some cases) that you are configuring. For example, you might use the following dataset name prefix for configuring a standalone WebSphere Application Server cell named TESTCELL for Version 8.0:
SYSPROG1.WAS80.TESTCELL.APPSERV
In this example, the following two datasets will be created when the customization definition is uploaded to the target z/OS system:
SYSPROG1.WAS80.TESTCELL.APPSERV.CNTL
SYSPROG1.WAS80.TESTCELL.APPSERV.DATA
The CNTL dataset will be a partitioned dataset (PDS) with fixed block 80-byte records that will contain the customization jobs. The DATA dataset will be a PDS with variable length data to contain the other customization data.
Rule: The high-level qualifier can consist of multiple qualifiers (up to 39 characters).
The generated batch jobs and instructions will be uploaded to two z/OS partitioned datasets:
HLQ.CNTL
Partitioned dataset with fixed block 80-byte records to contain customization jobs
HLQ.DATA
Partitioned dataset with variable-length data to contain other data contained in the customization definition
Tip: A multilevel high-level qualifier can be specified as the dataset high-level qualifier.

Common group configuration

Configuration group (zConfigurationGroup)
Allow OS security to assign GID (zConfigurationGroupGID)
Specify * to allow operating-system security to assign the group ID.
Assign user-specified GID (zConfigurationGroupGID)
Specify an ID to use a specific ID.
Rule: GID values must be unique numeric values between 1 and 2,147,483,647.
Servant group (zServantGroup)
Allow OS security to assign GID (zServantGroupGID)
Specify * to allow operating-system security to assign the group ID.
Assign user-specified GID (zServantGroupGID)
Specify an ID to use a specific ID.
Rule: GID values must be unique numeric values between 1 and 2,147,483,647.
Local user group (zLocalUserGroup)
Allow OS security to assign GID (zLocalUserGroupGID)
Specify * to allow operating-system security to assign the group ID.
Assign user-specified GID (zLocalUserGroupGID)
Specify an ID to use a specific ID.
Rule: GID values must be unique numeric values between 1 and 2,147,483,647.

System locations

System name (zSystemNane)
System name for the target z/OS® system on which you will configure WebSphere® Application Server for z/OS
Sysplex name (zSysplexName)
Sysplex name for the target z/OS system on which you will configure WebSphere Application Server for z/OS

Tip: If you are not sure what the system name (&SYSNAME) and sysplex name (&SYSPLEX) are, use the console command D SYMBOLS on the target z/OS system to display them.

PROCLIB (zProclibName)
An existing procedure library where the WebSphere Application Server for z/OS cataloged procedures are added

Configuration file system customization

Mount point (zConfigMountPoint)
Read/write file system directory mount point where application data and environment files are written

The customization process creates this mount point if it does not already exist.

Name (zConfigHfsName)
File system dataset that you will create and mount at the above mount point
Rule: You can specify up to 44 characters for the dataset name.
Directory path name relative to mount point (zWasServerDir)
Name of the directory where WebSphere Application Server for z/OS files reside after installation

See Product file system for more information.

Volume, or '*' for SMS (zConfigHfsVolume)
Specify either the DASD volume serial number to contain the above dataset or * to let SMS select a volume. Using * requires that SMS automatic class selection (ACS) routines be in place to select the volume. If you do not have SMS set up to handle dataset allocation automatically, list the volume explicitly.
Primary allocation in cylinders (zConfigHfsPrimaryCylinders)
Initial size allocation in cylinders for the above dataset
Recommendation: The minimum suggested size is 420 cylinders.
Secondary allocation in cylinders (zConfigHfsSecondaryCylinders)
Size of each secondary extent in cylinders
Recommendation: The minimum suggested size is 100 cylinders.
File system type (HFS or ZFS) (zFilesystemType)
This is the type of file system that will be used when creating the WebSphere for z/OS configuration file system. The default is HFS.

System information

Product file system directory (zSmpePath)
Name of the directory where WebSphere Application Server for z/OS files reside after installation

Read Product file system for more information.

Intermediate symbolic link? (zEnableIntermediateSymlink)
Specify true to set up an intermediate symbolic link, and specify the path name of that link if you select it.

If you specify an intermediate symbolic link, symbolic links are created from the configuration file system to the intermediate symbolic link; otherwise, they are created directly to the product file system.

The default value for zEnableIntermediateSymlink is true.

Intermediate symbolic link (zIntermediateSymlink)
The default value for zIntermediateSymlink is the zConfigMountPoint value appended by /wasInstall.

Server customization

Short cell name (zCellShortName)
Name that identifies the cell to z/OS facilities such as SAF
Rules:
  • Name must be eight or fewer characters and all uppercase.
  • Name must be unique among all other cells in the sysplex.
Long cell name (cellName)
Primary external identification of this WebSphere Application Server for z/OS cell

This name identifies the cell as displayed through the administrative console.

Rules:
  • Name must be 50 or fewer characters.
  • Name can be of mixed case.
  • Name must be unique among all other cells in the sysplex.
Short node name (zNodeShortName)
Name that identifies the node to z/OS facilities such as SAF
Rules:
  • Name must be eight or fewer characters and all uppercase.
  • Name must be unique within the cell.
Long node name (nodeName)
Primary external identification of this WebSphere Application Server for z/OS node

This name identifies the node as displayed through the administrative console.

Rules:
  • Name must be 50 or fewer characters.
  • Name can be of mixed case.
  • Name must be unique within the cell.
Short server name (zServerShortName)
This value identifies the server to z/OS facilities such as SAF.
Note: The server short name is also used as the server JOBNAME.
Rule: Name must be seven or fewer characters.
Long server name (serverName)
Name of the server and the primary external identification of this WebSphere Application Server for z/OS server

This name identifies the server as displayed through the administrative console.

Rules:
  • Name must be 50 or fewer characters.
  • Name can include mixed-case alphabetic characters.
  • For an administrative agent, the long name must be adminagent.
Cluster transition name (zClusterTransitionName)
WLM APPLENV (WLM application environment) name for this server
Rule: Name must be eight or fewer characters and all uppercase.
WebSphere Application Server user ID home directory (zUserIDHomeDirectory)
New or existing file system directory in which home directories for WebSphere Application Server for z/OS user IDs will be created by the customization process

Server address space information customization

In the following, names must be eight or fewer characters unless specified otherwise.

Controller information
Procedure name (zControlProcName)
Name of member in your procedure library to start the controller
Rule: Name must be seven or fewer characters.
User ID (zControlUserid)
User ID associated with the controller
Note: If you are using a non-IBM security system, the user ID might have to match the procedure name. Please refer to your security system's documentation.
UID (zControlUid)
User identifier associated with this user ID
Rule: UIDs must be unique numbers between 1 and 2,147,483,647 within the system.
Servant information
Procedure name (zServantProcName)
Name of member in your procedure library to start the servant
Rule: Name must be seven or fewer characters.
User ID (zServantUserid)
User ID associated with the servant
Note: If you are using a non-IBM security system, the user ID might have to match the procedure name. Please refer to your security system's documentation.
UID (zServantUid)
User identifier associated with this user ID
Rule: UIDs must be unique numbers between 1 and 2,147,483,647 within the system.

TCP/IP information

Note: Do not choose port values already in use.
Node host name (hostName)
IP name or address of the system on which the server is configured

This value is used by other WebSphere Application Server for z/OS functions to connect to this server.

Note: The node host name must always resolve to an IP stack on the system where the application server runs. The node host name cannot be a DVIPA or a DNS name that, in any other way, causes the direction of requests to more than one system.
SOAP JMX Connector port (zSoapPort)
Port number for the JMX HTTP connection to this server based on the SOAP protocol

JMX is used for remote administrative functions, such as invoking scripts through wsadmin.sh.

Rule: Value cannot be 0.
Bootstrap port (zBootstrapPort)
Port for IIOP requests that acts as the bootstrap port for this server (BOOTSTRAP_ADDRESS)
Rule: Value cannot be 0.
Administrative interprocess communication port (zAdminLocalPort)
Port for the JMX connector that listens on the loopback adapter

The connector uses "local comm" communications protocol, which means that the port is used only for communications that are local to the z/OS system image (or sysplex).

Location service daemon customization

The location service daemon is the initial point of client contact in WebSphere Application Server for z/OS. The server contains the CORBA-based location service agent, which places sessions in a cell. All RMI/IIOP IORs (for example, for enterprise beans) establish connections to the location service daemon first, then forward them to the target application server.
Daemon home directory (zDaemonHomePath)
Directory in which the location service daemon resides

This is set to the configuration file system mount point/Daemon and cannot be changed.

Daemon job name (zDaemonJobname)
Job name of the location service daemon, specified in the JOBNAME parameter of the MVS start command used to start the location service daemon

Caution: When configuring a new cell, be sure to choose a new daemon job name value.

Note: A server automatically starts the location service daemon if it is not already running.
Procedure name (zDaemonProcName)
Name of the member in your procedure library to start the location service daemon
Rule: Name must be seven or fewer characters.
User ID (zDaemonUserid)
User ID associated with the location service daemon
UID (zDaemonUid)
User identifier associated with this user ID
Rule: UIDs must be unique numbers between 1 and 2,147,483,647 within the system.
IP name (zDaemonIPName)
Fully qualified IP name, registered with the Domain Name Server (DNS), that the location service daemon uses

The default is your node host name.

Note:
  • In a sysplex, you should consider using a virtual IP address (VIPA) for the location service daemon IP name.
  • Select the IP name for the location service daemon carefully. Once you have chosen a name, it is difficult to change, even in the middle of customization. This name must not be a numeric, such as, 3.7.2543.
Daemon listen IP (zDaemonListenIP)
The default value is *.
Rule: The default is * or a numeric IP address.
Port (zDaemonPort)
Port number on which the location service daemon listens
Note: Select the port number for the location service daemon carefully. You can choose any value you want, but, once chosen, it is difficult to change, even in the middle of customization.
SSL Port (zDaemonSSLPort)
Port number on which the location service daemon listens for SSL connections
Register daemon with WLM DNS (zDaemonRegisterWlmDns)
If you use the WLM DNS (connection optimization), you must select true to register your location service daemon with it. Otherwise, select false.
Note: Only one location service daemon per LPAR can register its domain name with WLM DNS. If you have multiple cells in the same LPAR and register one location service daemon and then a second, the second will fail to start.

SSL customization

If you plan to enable administrative security at some point, as is recommended, fill in the following SSL values:
Certificate authority keylabel (zSSLCaKeylabel)
Name of the key label that identifies the certificate authority (CA) to be used in generating server certificates
Generate certificate authority (CA) certificate (zGenerateCaCertificate)
Select true to generate a new CA certificate. Select false to have an existing CA certificate generate server certificates.
Expiration date for certificates (zCaAuthorityExpirationDate)
Expiration date used for any X509 Certificate Authority certificates as well as the expiration date for the personal certificates generated for WebSphere Application Server for z/OS servers.

You must specify this even if you selected false for Generate Certificate Authority (CA) certificate.

Default SAF key ring name (zDefaultSAFKeyringName)
Default name given to the RACF® key ring used by WebSphere Application Server for z/OS

The key ring names created for repertoires are all the same within a cell.

Use virtual keyring for z/OS SSL clients (zUseVirtualKeyring)
Select true if you want to enable z/OS SSL clients using SAF Virtual Key Ring to connect to this WebSphere Application Server node without requiring each user to have the WebSphere Application Server keyring or the WebSphere Application Server CA certificate connected to it.
Enable SSL on location service daemon (zEnableSslOnDaemon)
Select true if you want to support secure communications using Inter-ORB Request Protocol (IIOP) to the location service daemon using SSL. If you specify true, a RACF key ring will be generated for the location service daemon to use.

Security customization

You can choose one of the following three options for administrative security.

Option 1: z/OS-managed security (zAdminSecurityType=websphereForZos)
Use the z/OS system's SAF-compliant security database to define WebSphere Application Server users. The EJBROLE profile will be used to control role-based access to applications. An administrator user ID and an unauthenticated user ID will be created and defined in the security database. Select this option if the WebSphere Application Server environment will run entirely on z/OS with a shared SAF-compliant (Local OS) user registry, or if you plan to implement a non-Local OS user registry (such as LDAP) with mapping to SAF user IDs.
Option 2: Product-managed security (zAdminSecurityType=websphereFamily)
Use a simple file-based registry to define WebSphere Application Server users. An administrator user ID will be created and defined in the file-based registry.
Option 3: No security (zAdminSecurityType=none)
Do not enable administrative security. This option is not recommended.

Your WebSphere Application Server environment will not be secured until you configure and enable security manually.

Depending on the security option you choose, there may be additional values you need to set.

Security customization—z/OS-managed security

For this security option, you must decide whether to set a SAF profile prefix and choose an administrator user ID as well as an unauthenticated (guest) user ID.

SAF profile prefix (zSecurityDomainId)
Set this to true if you wish to include a SAF profile prefix in certain SAF security checks (APPL, CBIND, EJBROLE). Enter a 1-8 SAF profile prefix.
Administrator user ID (zAdminUserid)
For Administrator user ID, enter a valid SAF user ID which will become the initial cell administrator. If this user ID already exists, it must have the WebSphere Application Server configuration group for this cell as its default UNIX® System Services group.
Administrator UID (zAdminUid)
Valid UID for this user ID
Rule: UIDs must be unique numbers between 1 and 2,147,483,647 within the system.
Unauthenticated User ID (zAdminUnauthenticatedUserid)
Enter a valid SAF user ID which will be associated with unauthenticated client requests.
Unauthenticated UID (zAdminUnauthenticatedUid)
Valid UID for this user ID
Rule: UIDs must be unique numbers between 1 and 2,147,483,647 within the system.
Enable writable SAF keyring support (zEnableWritableKeyring)
Select true if you want to enable writable SAF key ring support

Security customization—product-managed security

For this security option, you must choose an administrator user ID and password.

Administrator user ID (adminUserName)
Enter an alphanumeric user ID that you will use to log on to the administrative console and perform administrative tasks. This user ID and its password will initially be the only entry in the file-based user registry.
Administrator password (adminPassword)
This password must not be blank.

Security customization—no security

For this security option, there are no other choices to make. Your WebSphere Application Server environment will not be secured until you configure and enable security manually.

Security certificate customization

Default personal certificate
Issued to distinguished name (personalCertDN)
Identifier of the personal certificate
Issued by distinguished name (signingCertDN)
Identifier of the root signing certificate
Expiration period in years (personalCertValidityPeriod)
The default personal certificate is valid for one year. The maximum expiration is ten years.
Root signing certificate
Expiration period in years (signingCertValidityPeriod)
The default signing (root) certificate is a self-signed certificate. It has a default validation period of twenty years. The maximum validation period is twenty-five years.
Default keystore password (keyStorePassword)
The default value for the keystore password should be changed to protect the security of the keystore files and SSL configuration.

Job statement customization

Job statement 1 (zJobStatement1)
Job statement 2 (zJobStatement2)
Job statement 3 (zJobStatement3)
Job statement 4 (zJobStatement4)



Related information
Creating secure proxy administrative agents on z/OS using the Profile Management Tool
Reference topic Reference topic    

Terms and conditions for information centers | Feedback

Last updatedLast updated: Feb 6, 2014 11:24:07 PM CST
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=matt&product=was-nd-zos&topic=rins_defvarspaadef_cmdl
File name: rins_defvarspaadef_cmdl.html